Security Corner

I thought you may be interested in the reaction from Juan Santana, CEO of Panda Security, on Intel’s unexpected $7.68 billion acquisition of McAfee this morning.

“It is an unexpected move that highlights the importance of IT security and underscores the health of the industry going forward. In a world where most appliances and gadgets that consumers use have some kind of Internet connectivity, security becomes a differentiator.

Intel recognizes this and they have taken a step forward to position themselves well for this evolution. Computer security can’t be ignored and this move highlights once again the need for it to be top of mind for consumers. We don’t expect any changes in the offering to consumers as a result of the transaction.”

My personal opinion (based on past experience with McAfee’s products) is that this won’t help Intel’s reputation any.

You get an envelope in the mail from American Consumer Opinion. Enclosed is a letter that starts like this:

Congratulation!!! You have been selected to participate in a paid Consumer Research Program. As one of the people selected to represent our firm; you will be acting as a Customer service Evaluator of selected Companies in your area.

There’s a check enclosed along with a “Customer Service Evaluation Form”. In this case, the check was for $1,895.00 made payable to a family member. It looks real and is probably printed on real check security paper. The check is shown above. You can see a full-size version here.

It’s completely bogus. That should be obvious from the start. Misspelled words, improper capitalization, and using a semicolon as a comma just screams “I no speak English.” The supposed contact person, Mr. Chris Nelson, is later referred to in this manner: “. . . you contact Mr. Chris for activation.” Again, another mistake.

Further along in the letter are “instructions” on what to do: “CASH WITHDRAWAL $1,645 Your survey payment is $250; keep that in your account.” If you look at the letter, you’ll see $1,435.00 listed as “SURVEY FOR WESTERN UNION Receipt required.” Presumably, “Mr. Chris” is going to explain to you where you’re supposed to wire that money.

So, if you fall for this scam, assuming you have sufficient money in the bank to make the cash withdrawal before the check clears, you’ll wire $1,435 plus wire fees to someone and you’ll go shopping as instructed with the rest, thinking you just made an easy $250. A few days later, the “check” bounces and the bank debits your account. You’ve just been robbed.

I spoke with my banker about this earlier today and she told me that I would be surprised at how many people fall for these things. She sees them all the time. Of course, I’m not the least bit surprised.

I’d love to have a dollar for every time I’ve had to clean FakeAV junk off a PC and then (diplomatically) explain to the user that they’ve been tricked. “But Windows Security Center popped up and said my PC was infected,” they cry. I feel for them; it’s definitely a slimy trick by slimy Internet criminals. So, I figured I’d better explain what this threat is and how to spot it before it lightens your wallet. First, a definition from Sophos’ excellent publication (recommended reading) What is FakeAV?:

FakeAV or Fake AntiVirus, also known as Rogue AntiVirus, Rogues, or ScareWare, is a class of malware that displays false alert messages to the victim concerning threats that do not really exist. These alerts will prompt users to visit a website where they will be asked to pay for these non-existent threats to be cleaned up. The FakeAV will continue to send these annoying and intrusive alerts until a payment is made.

For those of us who are savvy, these things are easy to spot; we’re usually aware of what AV software we use and know that what’s warning us isn’t our system. But, for the uninformed, such convincing names as those listed below usually work:

AntiSpyWarePro

Antivirus Plus

Antivirus Soft

Antivirus XP

Internet Security 2010

Malware Defense

Security Central

Security Tool

Winweb Security

XP Antivirus

Digital Protector

XP Defender

Pop-ups also catch people, especially because they resemble what Windows would do. Here’s what one unlucky user had to say in a forum: “I learned a $90 lesson yesterday. If a window pops up (even if it looks just like Windows) and tells you your computer is ‘infected’, DON’T acknowledge it. Don’t click ‘Yes/Scan’, ‘No’ or anything. Just turn off your computer.” To that, I would add one more step: Call your friendly local Geek for a good PC clean up and protect session. Here’s a shot of a typical “System Scan” screen.

And one more thing: Please don’t click on links or open files in emails if you don’t know where they came from, even if they look legitimate.

Since Microsoft began to ship versions of Windows with its firewall enabled by default (Windows XP Service Pack 2, August 25, 2004), there hasn’t been much attention put on system survival time. That’s not to say the issue is dead, it’s just not as big an issue as it used to be. I have often said that any system connected to the Internet is under attack 24/7; in fact, I have published some of my own statistics in the past (see Unpatched PC “0wn3d” in Four Minutes or 16 Hours; Which is it?). So, what is survival time? Thanks to dshield.org for this excellent definition: “The survival time is calculated as the average time between reports for an average target IP address. If you are assuming that most of these reports are generated by worms that attempt to propagate, an unpatched system would be infected by such a probe.”

How long would your unpatched system survive today if it’s plugged directly into the Internet? Let’s look at some historical data:

August 30, 2004 (five days after SP2 release) – 58 minutes

February 6, 2007 (1 week after release of Windows Vista) – 42 minutes

October 29, 2009 (1 week after release of Windows 7) – 74 minutes

August 7, 2010 (5 days after release of out-of-cycle patch for .lnk vulnerability) – 78 minutes

This tells me that while things appear to be improving, you still have an average of only around an hour to get an unpatched machine up and running on the Internet, assuming you’re not behind a firewall or NAT router (which would be the average consumer, I think).
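To make the dshield.org definition concrete, here is an added example (my own illustration, not dshield’s code) that computes a survival-time figure from a constructed list of probe reports: for each target IP it averages the gaps between consecutive reports, then averages those per-target figures. The report rows and IP addresses are made up, and the averaging is my reading of the definition quoted above, not dshield’s actual implementation.

```python
"""Survival-time estimate in the dshield.org sense: average time between
reports for an average target IP. Constructed data; see the note below."""
from collections import defaultdict
from datetime import datetime

# Constructed sample rows (UTC timestamp, target IP) as a sensor might log
# them. These are made-up values, not dshield data.
SAMPLE_REPORTS = [
    ("2010-08-07 00:00:00", "203.0.113.10"),
    ("2010-08-07 01:10:00", "203.0.113.10"),
    ("2010-08-07 02:30:00", "203.0.113.10"),
    ("2010-08-07 00:05:00", "203.0.113.11"),
    ("2010-08-07 01:05:00", "203.0.113.11"),
    ("2010-08-07 03:00:00", "203.0.113.12"),  # single report: no gap to measure
]


def parse_reports(rows):
    """Group report timestamps by target IP."""
    by_target = defaultdict(list)
    for ts, ip in rows:
        by_target[ip].append(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"))
    return by_target


def mean_gap_minutes(timestamps):
    """Average minutes between consecutive reports for one target;
    None when there are fewer than two reports."""
    if len(timestamps) < 2:
        return None
    ordered = sorted(timestamps)
    gaps = [(b - a).total_seconds() / 60 for a, b in zip(ordered, ordered[1:])]
    return sum(gaps) / len(gaps)


def survival_time_minutes(rows):
    """Average the per-target mean gaps over every target that has
    at least two reports (the 'average target IP')."""
    per_target = [mean_gap_minutes(t) for t in parse_reports(rows).values()]
    usable = [g for g in per_target if g is not None]
    if not usable:
        raise ValueError("need at least one target with two or more reports")
    return sum(usable) / len(usable)


if __name__ == "__main__":
    print(f"estimated survival time: {survival_time_minutes(SAMPLE_REPORTS):.1f} minutes")
```

With the constructed rows, 203.0.113.10 sees gaps of 70 and 80 minutes (mean 75), 203.0.113.11 sees one gap of 60 minutes, and 203.0.113.12 is ignored, so the estimate is 67.5 minutes; on a real sensor feed the same arithmetic runs over thousands of target addresses.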

Yes, I know that this is an old topic and almost everyone knows about them by now. Or do they? In my tech support activities, I run into all different levels of PC savvy (and lack thereof). The other day, I was explaining in detail a phishing attack that a client had fallen for. I pointed out all of the obvious hints that the email was bogus and gave her some great tips on how to spot them. She was insistent that the email “came from [a family member]” and that’s why she opened it. I told her that it likely came from one of the spam botnets, not a family member and that the address was spoofed. I was greeted with one of the blankest blank stares I think I’ve ever seen, followed by “What the heck is a botnet?”

So, for those of you who may not know, here’s a rundown of what botnets are and where you can go for even more in depth information.

Botnets are networks of computers that criminal hackers (Crackers) have infected and grouped together under their control to propagate viruses, send illegal spam, and carry out attacks that cause web sites to crash. Most phishing emails like my client received are sent through spam botnets.

You can think of them in this way: “A botnet is comparable to compulsory military service for windows boxes” – Stromberg (http://project.honeynet.org/papers/bots/). The users often have no choice in the matter; their machines are surreptitiously infected when they click on a link or visit an infected website.

What makes botnets exceedingly bad is the difficulty in tracing them back to their creators as well as the ever-increasing use of them in extortion schemes. How are they used in extortion schemes? Imagine someone sending you messages to either pay up or see your web site crash.

Botnets can consist of tens, or hundreds, of thousands of compromised machines. With such a large network, botnets can use distributed denial-of-service (DDoS) as a method to cause mayhem and chaos. For example, a small botnet with only 500 bots can bring corporate web sites to their knees. They do this by using the combined bandwidth of all the computers to send a continuous stream of requests to corporate systems and thereby cause their web site to appear offline.

One well-known technique to combat botnets is a honeypot. Honeypots help discover how attackers infiltrate systems. A Honeypot is essentially a decoy machine that one intends to be compromised in order to study how the hackers break the system. Unpatched Windows 2000 or XP machines make great honeypots given the ease with which one can take over such systems.

If you’re interested in finding out more about honeypots, a great site to visit is The Honeynet Project which describes its own site’s objective as “To learn the tools, tactics and motives involved in computer and network attacks, and share the lessons learned.”

Know your Enemy: Tracking Botnets is an in-depth paper written by several members of The Honeynet Project. Here’s what they say about it: “In this paper we look at a special kind of threat: the individuals and organizations who run botnets.”

Botnets are, after all, run by criminals for criminal purposes. It’s a fascinating study.

I have your DVD's ready but I'm burning the Blu-Ray's today. I expect them to be ready for tomorrow.

Here is a pictures of my wife and I at my wedding since you had mentioned you'd like to see a picture.

Marquita

One of the messages’ subject lines read, “FW: Resume as discussed.” Since I had just sent out a couple of them, I almost fell for that one:

Attachment: Resume.zip
I have forwarded your resume to Jerel for consideration. He is the Worley Parson’s director for NNSA work all over the country. Would you consider moving?

These look legitimate at first blush; but, as you might suspect, they contain malware. In the first case, the file contained IMG_1746.exe which Sunbelt Labs reports as FraudTool.Win32.AVSoft (v). The second one contained Resume.exe which is the same Trojan in a different guise.
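A screening step a mail gateway or a cautious recipient could apply to attachments like these, as an added example that is not from the page or any vendor: open the zip, list its members, and flag executable extensions, double extensions, and members whose first bytes are the MZ header that marks a Windows program. The archive is built in memory from a harmless placeholder string, so nothing malicious is involved; the member names merely echo the ones mentioned above.

```python
"""Screen a zip attachment for members that are Windows executables,
by name and by content. Sample archives are constructed in memory."""
import io
import zipfile

# Extensions Windows will run directly; a photo or resume has no business
# arriving as one of these.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}


def build_sample_zip(member_name, payload):
    """Constructed test archive with a single member (not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


def inspect_zip_attachment(data):
    """Return a list of findings explaining why the archive looks suspicious."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            # Last path component, normalised for case and separators
            name = info.filename.replace("\\", "/").rsplit("/", 1)[-1]
            lower = name.lower()
            ext = "." + lower.rsplit(".", 1)[-1] if "." in lower else ""
            if ext in EXECUTABLE_EXTENSIONS:
                findings.append(f"{name}: executable extension {ext}")
            # Double extension such as IMG_1746.jpg.exe hides the real type
            parts = lower.split(".")
            if len(parts) > 2 and "." + parts[-1] in EXECUTABLE_EXTENSIONS:
                findings.append(f"{name}: double extension disguises an executable")
            # Content check: PE files start with 'MZ' whatever the name says
            with zf.open(info) as member:
                head = member.read(2)
            if head == b"MZ":
                findings.append(f"{name}: content starts with MZ (Windows PE header)")
    return findings


def is_suspicious(data):
    return bool(inspect_zip_attachment(data))


if __name__ == "__main__":
    sample = build_sample_zip("IMG_1746.exe", b"MZ\x90\x00 placeholder, not a real program")
    for line in inspect_zip_attachment(sample):
        print(line)
```

The content check matters more than the name check: renaming a program to "IMG_1746.jpg" does not change its first two bytes, so a gateway that only trusts extensions can be fooled while this one is not.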

With the completion of Hacking Skills Challenge #11 back in May (wow! time flies), we’ve now entered the realm of realistic missions. As always, things start out relatively easy, then escalate into the stratosphere.

But first, let me point out that when you go to the site, there is always a witty, poignant or otherwise pithy, but often true, quote. Here’s the one I just encountered: “If you ask the government for permission to protest it, you deserve to be told no.” –Manhattan Libertarian Party Chair, Jim Lesczynski.”

OK. So, let’s take the first challenge and see what gives:

Uncle Arnold’s Local Band Review
Your friend is being cheated out of hundreds of dollars. Help him make things even again!
Difficulty rating: Easy.

So, here’s the challenge we get upon entering:

From: HeavyMetalRyan

Message: Hey man, I need a big favour from you. Remember that website I showed you once before? Uncle Arnold’s Band Review Page? Well, a long time ago I made a $500 bet with a friend that my band would be at the top of the list by the end of the year. Well, as you already know, two of my band members have died in a horrendous car accident… but this [expletive deleted] still insists that the bet is on!

I know you’re good with computers and stuff, so I was wondering, is there any way for you to hack this website and make my band on the top of the list? My band is Raging Inferno. Thanks a lot, man!

Sounds like a plan! Let’s get into it. It’s really almost too easy.

Visit the site and view the page source. Note that it uses “v.php” with the GET method to record the votes. There are two hidden inputs: PHPSESSID and id; you’ll need to use both of these. What we’re going to do is use the address bar to pass a very high value to the server and move Raging Inferno to the top.

Copy the value of PHPSESSID and note the id value (yours may be different than what I show here). Using the values for PHPSESSID and id, construct this URL: http://www.hackthissite.org/missions/realistic/1/v.php?PHPSESSID=abcaeadfc31a5c43b2534bf995c0553f&id=3&vote=99 and submit it.

If you’ve done everything right, you’ll see a blue button on the next page that says “Go On.” Clicking that button takes you to the next mission.
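From the defender’s side, the mission works because the server trusts whatever id and vote values the client sends. The following added example (my illustration, not the site’s code) contrasts a handler that mirrors that flaw with one that validates the session, the band id, and the vote range, and records only one vote per session per band. The 1-5 vote scale, the hypothetical VoteStore class, and the session handling are assumptions.

```python
"""Vote handling with and without server-side validation.
Hypothetical illustration; nothing here is the site's own code."""
import secrets


class VoteStore:
    """Server-side state for a band-rating page: per-band totals plus the
    set of bands each session has already voted on."""
    VALID_VOTES = range(1, 6)  # assumed 1-5 rating scale

    def __init__(self, band_ids):
        self.scores = {b: 0 for b in band_ids}
        self.sessions = {}  # session id -> set of band ids voted on

    def new_session(self):
        sid = secrets.token_hex(16)
        self.sessions[sid] = set()
        return sid

    def vote_unsafe(self, params):
        """Mirrors the mission's flaw: adds whatever 'vote' the client sent,
        with no session check, range check, or one-vote limit."""
        band_id = int(params["id"])
        self.scores[band_id] += int(params["vote"])
        return self.scores[band_id]

    def vote_safe(self, params):
        """Validate everything before touching state.
        Returns (True, new_score) or (False, reason)."""
        sid = params.get("PHPSESSID")
        if sid not in self.sessions:
            return False, "unknown or missing session"
        try:
            band_id = int(params.get("id", ""))
            vote = int(params.get("vote", ""))
        except ValueError:
            return False, "id and vote must be integers"
        if band_id not in self.scores:
            return False, "unknown band id"
        if vote not in self.VALID_VOTES:
            return False, "vote outside the allowed 1-5 range"
        if band_id in self.sessions[sid]:
            return False, "this session has already voted for that band"
        self.sessions[sid].add(band_id)
        self.scores[band_id] += vote
        return True, self.scores[band_id]


if __name__ == "__main__":
    store = VoteStore([1, 2, 3])
    sid = store.new_session()
    print("unsafe:", store.vote_unsafe({"id": "3", "vote": "99"}))
    print("safe:", store.vote_safe({"PHPSESSID": sid, "id": "3", "vote": "99"}))
    print("safe:", store.vote_safe({"PHPSESSID": sid, "id": "3", "vote": "5"}))
```

Beyond these checks, a vote should be accepted only on a POST carrying an anti-CSRF token: the page records votes through a GET URL, which means any link a visitor clicks can cast one on their behalf.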

As old as this issue is, you’d think it would be solved by now; in fact, everyone thought it was. Many browsers and plug-ins protect against it. But it showed up in a different form that no one had considered until it was revealed at Black Hat. The hacker discovered that not only can you browse to your router’s web interface using the private gateway IP (192.168.xxx.xxx or whatever), you can also get there using its public IP (the WAN address), even if you have disabled remote administration from the WAN side. Steve Gibson, in his usual, thorough manner, analyzed the matter in Security Now! episode 260.

And so the next-generation attack that was revealed last week, which I’m sure all of the various firmwares are in the process of scrambling around to fix right now, solves, well, what it does is it gets around the blocks against internal LAN access IPs by using your public IP. And of course the remote DNS server gets your public IP because that’s the IP from which the request comes to it. It’s emitted by your computer, asking for the IP address of attacker.com. Well, that comes from your public IP. So it’s able to return the public IP to the [attacker] script running in a plug-in, which then knows how to get around the use of private IPs on the LAN to access your router.

Everyone should immediately check this list to see if your router is vulnerable. If it is, then you should go to the manufacturer’s website to check for firmware updates to your router.
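The hole Steve describes exists because the router’s web server answers any request that reaches it, regardless of the name or address in the Host header. One check an embedded admin interface can apply, written here as an added example and not taken from any router firmware, is to serve the admin pages only when the Host header matches the LAN address or a configured local name; a request whose Host is the router’s own WAN address, or a name like attacker.com that a rebinding script resolved to that address, is refused. The addresses, the host_is_allowed function, and the allowed-name list are assumptions.

```python
"""Host-header check against DNS rebinding for a router admin interface.
Assumed addresses and names; not taken from any firmware."""
import ipaddress


def _strip_port(host_header):
    """Return the host part of a Host header, dropping an optional :port
    and the brackets around an IPv6 literal."""
    h = host_header.strip().lower()
    if h.startswith("["):
        end = h.find("]")
        return h[1:end] if end != -1 else h
    if h.count(":") == 1:  # host:port; a bare IPv6 literal has more colons
        h = h.split(":")[0]
    return h


def host_is_allowed(host_header, lan_ip, allowed_names=()):
    """Accept the request only when Host names the router the way a LAN
    client legitimately would: its LAN address or a configured local name.
    A public address (even the router's own WAN IP) or an unknown hostname
    is rejected, which is what defeats the public-IP rebinding trick."""
    host = _strip_port(host_header)
    if host in {n.lower() for n in allowed_names}:
        return True
    try:
        return ipaddress.ip_address(host) == ipaddress.ip_address(lan_ip)
    except ValueError:
        return False  # not an IP address and not a configured name


if __name__ == "__main__":
    LAN_IP = "192.168.1.1"           # assumed LAN gateway address
    NAMES = ["router.local"]         # assumed configured local name
    for hdr in ["192.168.1.1", "router.local:8080", "203.0.113.5", "attacker.com"]:
        print(f"{hdr:20} -> {'allowed' if host_is_allowed(hdr, LAN_IP, NAMES) else 'refused'}")
```

Because the comparison is against the address the admin UI is meant to be reached on, not a blocklist of public addresses, it keeps working when the WAN IP changes and does not rely on the browser’s private-IP protections that the attack was designed to bypass.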

You probably heard all about Microsoft Security Bulletin MS10-046 – Critical Vulnerability in Windows Shell Could Allow Remote Code Execution (2286198). Microsoft actually issued a FixIt workaround last week; but, as many people found out, it wrecked the icons on their desktop causing them to display as white squares with no graphics.

On Monday, Microsoft issued a rare out-of-cycle patch to permanently fix the vulnerability. However, applying the patch does not disable the workaround, so those who used the FixIt solution will need to go here and use the “disable workaround” button. According to The Register, “. . . Microsoft released the update outside of its normal patching schedule because the vulnerability is being actively targeted. When the flaw first came to public attention three weeks ago, it was being used to attack SCADA — supervisory control and data acquisition — systems that control sensitive equipment at power plants, gas refineries, and other critical infrastructure.”

[Part 1 covered five ways to avoid online shopping scams. This second, and final, installment covers the remaining five. Again, this is a heavily-edited article whose original version is posted at http://www.tomtop.com/blog/antiscam/. I had to edit the article heavily because its English is quite fractured. In that source posting, there appears to be tacit consent to reprinting with attribution. The writer(s) posted this in the comments section of “How to Recognize and Avoid Email Scams – Part 3,” but it’s worthy of a post of its own.]

6. Check whether the merchant supports Business Bank Account payment–A company running a trustworthy shopping site will be a legitimate business and will have a business bank account. When you do a large wholesale business involving large orders, there should be some option to make direct payment to the company’s bank account.

7. Check whether they have a customer support or feedback forum–Customer comments, views and experiences of using the product will help future customers to make a buying decision. An honest business will allow customers to write product reviews, forum, blog, and third-party social networks (facebook, twitter, YouTube) comments to express their views and opinions. It’s a good bet that if there is no provision for customer feedback at an online store, there’s something wrong. Steer clear.

8. Check whether the site is professionally designed–Details often determine success or failure. Professional B2C sites must pay close attention to details. The site will often provide coupons, an affiliate program, help before ordering, post-sale assistance and many other services. The site will also provide detailed company information and a clear return policy. Scam sites usually will not waste time on these details; or, if they appear to provide these things, they often won’t work properly.

9. Check whether they support face to face transactions–Does the company have a valid physical location? Can you actually visit their storefront and buy from them? This is essential when you are dealing in large transactions. If you cannot locate the business and have no way of meeting a real person face to face, then be careful.

10. Practice is the sole criterion for testing truth–If all of the above are not sufficient to judge whether the business is a cheater or not, you can place a small order to test. Even if they are scamming, the loss will not be big. In fact, scammers will often ignore your small orders and directly refund or ask you to add more.

In general, online shopping has brought us convenience and many other advantages. In the main, most online businesses are honest. For those who aren’t, if you keep in mind the 10 things here, you will be able to spot the scammers before they get your money.

About This Blog

Ken "The Geek" Harthun takes the mystery out of computer security. You’ll find valuable advice, tips, and news on how to keep your PCs, network, and data safe from attack by crackers and cybercriminals.